Friday, 2014-02-21

*** swann_ has joined #openstack-climate00:47
*** SergeyLukjanov2 has joined #openstack-climate00:55
*** SergeyLukjanov has quit IRC00:55
*** swann has quit IRC00:55
*** SergeyLukjanov2 is now known as SergeyLukjanov00:55
*** openstackgerrit has quit IRC01:18
*** openstackgerrit has joined #openstack-climate01:18
*** DinaBelova_ is now known as DinaBelova05:43
*** saju_m has joined #openstack-climate06:36
*** DinaBelova is now known as DinaBelova_07:58
*** bauzas has joined #openstack-climate08:18
*** saju_m has quit IRC08:31
*** saju_m has joined #openstack-climate09:01
*** DinaBelova_ is now known as DinaBelova09:01
*** saju_m has quit IRC09:02
*** saju_m has joined #openstack-climate09:21
*** chandan_kumar has joined #openstack-climate09:25
*** chandan_kumar has quit IRC09:51
*** chandan_kumar has joined #openstack-climate10:05
bauzasDinaBelova: hi10:18
bauzasDinaBelova: about how we should verify if user has enough rights for showing the result10:19
DinaBelovayes?10:19
bauzasDinaBelova: that's something looping into my mind for a certain amount of time :D10:19
bauzasDinaBelova: there are pros and cons10:20
bauzasDinaBelova: as we don't have conductors, the only correct way for placing a call to DB is to pass thru the manager10:20
bauzasDinaBelova: but we enforce context validation at the API level10:20
bauzasDinaBelova: the thing is, should we say that we should place a second call to the Manager for each call, just for verifying if user has rights ?10:21
bauzasDinaBelova: that's a penalty thing10:21
DinaBelovabauzas, I may even tell you10:22
DinaBelovathat now we have 2 requests to manager while updating for example10:22
bauzasDinaBelova: well you're right10:23
bauzasDinaBelova: but I was more likely thinking of a post-check10:23
DinaBelovabut that's not too much - speaking about the fact we're using RPC only to have possibility take resource by name10:23
DinaBelovanot by id10:23
DinaBelovathere are lots of calls10:23
bauzasDinaBelova: the idea is to loosely leave going thru the Manager for placing the call, and then only at the response time, check that the object matches the creds10:23
YorikSarbauzas: Hello10:24
bauzasYorikSar: hi10:24
DinaBelovabauzas, am I right that you propose to have smth like - user wants to update lease -> manager updates lease -> user has no rights -> it should be some kind of transaction to go back?10:25
DinaBelovaand i'm not about tenants10:25
DinaBelovabut also about admin rules10:25
DinaBelovaany other rules10:25
DinaBelovaetc.10:25
bauzasDinaBelova: mmm, you're right10:27
bauzasDinaBelova: at the moment, the check is done on the DB side10:27
YorikSarbauzas: I see about 3 ways for handling that "target" field. We can do as Dina suggested (and as it is done in Keystone); we can pass all necessary information for authorization to DB and let it filter out elements that user don't have access to; we can complete task and verify if we could do it afterwards judging by return value.10:27
YorikSarbauzas: The third one is how I understood your "post-check" proposal. Is it right?10:28
bauzasYorikSar: that's the 3 options I thought about, yes10:28
*** chandan_kumar has quit IRC10:28
bauzasYorikSar: the main thing is that option #3 is only working for GET10:28
bauzasso, that needs to be mixed with option #2 for PUT/POST10:28
bauzasYorikSar: DinaBelova: well, is it OK if you leave me thinking about your option #1 proposal this week-end ?10:29
YorikSarThe problem with the second one is that we can't translate everything we have configured in policy.json to DB layer.10:30
YorikSarThe 3rd option works only for GET, right... But it works only for getting single objects as for lists we have significant disadvantage in transfering e.g. list of all leases back and forth without knowing if user even have access to this list.10:31
DinaBelovabauzas, offtopic - do you have some kind of bio for Swann? I'm writing incubation proposal and I need info about all core contributors :)10:31
bauzasask him directly ^^10:32
bauzasswann_: ping10:32
DinaBelovaI asked :D10:32
DinaBelovahe's not answering :)10:32
bauzasDinaBelova: well, I'm just asking him directly :)10:32
bauzasprivilege of sharing desktops :)10:32
DinaBelovaфтв ерфеэы еру куфыщт ш фыл нщг Ж)10:32
DinaBelovawowowow10:32
swann_hey, what do you want to know about me :D ?10:33
bauzasDinaBelova: you're right :D :D :D10:33
YorikSarbauzas: Another issue with filtering in DB is that we cannot distinguish between missing elements and elements user don't have access to.10:33
bauzasYorikSar: yup, got your view10:33
YorikSarbauzas: We can actually push all information needed for auth to Manager so that we won't have extra RPC round-trip... But what's the purpose for API level then?10:35
YorikSarbauzas: I actually suggest postponing optimizing GET requests because we should have fully-functional policy checking and then optimize for performance, not vice versa.10:38
YorikSarbauzas: Just giving your more things to think about over the weekend :)10:39
bauzasYorikSar: that's great10:40
bauzasfood for thoughts10:40
*** bauzas has quit IRC10:53
Nikolay_Sthi all11:02
Nikolay_Stguys, does anyone use latest climate master in environment?11:02
Nikolay_Stmy vm's doesn't start :(11:02
*** DinaBelova is now known as DinaBelova_11:03
*** bauzas has joined #openstack-climate11:19
*** DinaBelova_ is now known as DinaBelova11:20
openstackgerritNikolay Starodubtsev proposed a change to stackforge/python-climateclient: Add test coverage for base client modules  https://review.openstack.org/7357411:38
*** Nikolay_St has quit IRC11:40
openstackgerritA change was merged to stackforge/climate: Remove explicit access to is_admin in context  https://review.openstack.org/7274211:46
openstackgerritA change was merged to stackforge/climate: Remove direct assignments of context attributes  https://review.openstack.org/7267311:46
*** bauzas has quit IRC13:03
*** casanch1 has joined #openstack-climate13:14
*** bauzas has joined #openstack-climate13:25
*** saju_m has quit IRC14:10
*** Nikolay_St has joined #openstack-climate14:43
*** chmartinez has joined #openstack-climate14:47
DinaBelovabauzas, casanch1, chmartinez, f_rossigneux, Nikolay_St, SergeyLukjanov, swann_ - meeting in 10 mins :)14:50
bauzasbauzas: I'm herer !14:50
bauzas:D14:50
DinaBelovaas usual on #openstack-meeting :)14:50
DinaBelovabauzas, wow :)14:51
DinaBelovacool :)14:51
DinaBelovaI remember you promised :)14:51
*** chmartinez_ has joined #openstack-climate14:52
bauzasDinaBelova: ^ ^14:52
openstackgerritSwann Croiset proposed a change to stackforge/climate: Reworking configuration options  https://review.openstack.org/7124314:53
SergeyLukjanovI'm partially here14:53
*** chmartinez has quit IRC14:53
chmartinez_I'm here14:54
casanch1:)14:55
DinaBelovao/, cool :)14:56
bauzastic tac15:01
Nikolay_StDinaBelova:it's time15:01
*** ddyachkov has joined #openstack-climate15:02
*** Nikolay_1t has joined #openstack-climate15:09
*** Nikolay_St has quit IRC15:09
*** casanch1 has quit IRC15:13
*** Nikolay_1t has quit IRC15:50
*** casanch1 has joined #openstack-climate15:58
*** ddyachkov has quit IRC15:59
*** bauzas has quit IRC16:05
swann_casanch1: FYI .. need to rebase on master (with minor confict) your patch https://review.openstack.org/#/c/73363/216:07
*** DinaBelova is now known as DinaBelova_16:11
*** DinaBelova_ is now known as DinaBelova16:22
*** DinaBelova is now known as DinaBelova_16:40
casanch1swann_: ok,will do17:13
*** DinaBelova_ is now known as DinaBelova17:19
openstackgerritCristian A Sanchez proposed a change to stackforge/climate: Update openstack.common with latest oslo-incubator  https://review.openstack.org/7336317:28
casanch1swann_: done17:29
casanch1swann_: thanks for catching that17:30
*** YorikSar has quit IRC18:00
*** casanch1_ has joined #openstack-climate18:04
*** casanch1 has quit IRC18:05
*** casanch1_ is now known as casanch118:07
*** casanch1 has quit IRC18:11
*** YorikSar has joined #openstack-climate18:38
*** casanch1 has joined #openstack-climate19:01
*** YorikSar has quit IRC20:27
*** YorikSar has joined #openstack-climate20:48
*** chmartinez_ has quit IRC20:49
*** casanch1 has quit IRC21:24
*** DinaBelova is now known as DinaBelova_21:48

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!